Posted to user@shiro.apache.org by skybird <sn...@gmail.com> on 2014/03/03 08:37:40 UTC

authcBasic with shiro-cas

I have a web application that has some web services and some account pages. 
When protected account pages are accessed it authenticates against CAS. That
works fine.

If a webservice is invoked by the same application the rest service should
not need authentication any more. However rest services are also exposed and
I want authcBasic enabled on them if the client is not my own web app. So my
question is how do I configure the /rest/** url so that it does not ask for
authentication if it is being called from an authenticated CAS user but
prompt for basic auth if the client is not my web app?

Here's my shiro urls section config:

[urls]
/shiro-cas = casFilter
/account/** = roles[ROLE_USER]
/rest/** = authcBasic





--
View this message in context: http://shiro-user.582556.n2.nabble.com/authcBasic-with-shiro-cas-tp7579708.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: authcBasic with shiro-cas

Posted by skybird <sn...@gmail.com>.
Thanks for the confirmation Ryan! That's exactly what I wanted to hear, I was
headed off on a wrong path, I was actually writing a custom realm/matcher,
thanks for steering me to the correct path. Oh well on my way to write a
custom filter. If you have anything to share please do so.




Re: authcBasic with shiro-cas

Posted by Ryan Connolly <ry...@gmail.com>.
Hi. I had the same desire and addressed this with the help of a response
from Jerome on another thread. I've pasted his response below in hopes this
gets you to your end result as well:

Hi,

It depends if your applications host or call external web services.

If your apps host web services and you want to be able to authenticate
through basic auth to access them, you will need to create a custom
BasicHttpAuthenticationFilter, taking the credentials and sending them to
the CAS REST API : https://wiki.jasig.org/display/CASUM/RESTful+API.

If your apps call web services, it's clearly the proxy use case. Right now,
the shiro-cas module does not support the proxy feature. Though, one
extension I created to integrate with various protocols as a client does :
https://github.com/bujiio/buji-pac4j. It might be worth giving it a try.

Best regards,
Jérôme

Re: authcBasic with shiro-cas

Posted by skybird <sn...@gmail.com>.
Thanks for the explanation. Do I need a custom realm for authcBasic so that
it can take the credentials and authenticate against cas server? All I'm
trying to achieve is that when the user enters the credentials at the
authcBasic prompt they should be authenticated against cas. Am I missing
something or is this impossible?




Re: authcBasic with shiro-cas

Posted by jleleu <le...@gmail.com>.
Hi,

The authcBasic filter will generate a UsernamePasswordToken
(username+password), so it needs a Realm able to deal with
UsernamePasswordToken.
The casFilter will generate a CasToken (CAS service ticket), so it needs a
CasRealm to handle it.
You can't mix both as they don't use the same information.
Best regards,
Jérôme



2014-03-14 17:50 GMT+01:00 skybird [via Shiro User] <
ml-node+s582556n7579759h97@n2.nabble.com>:

> Can I use the same casRealm that I have already defined for the /web/**
> urls? If so, how can I configure /api/** to use the already defined realm
> for authcBasic?
>




--
View this message in context: http://shiro-user.582556.n2.nabble.com/authcBasic-with-shiro-cas-tp7579708p7579760.html
Sent from the Shiro User mailing list archive at Nabble.com.
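
Added example (not part of any post in this thread, and not Shiro or shiro-cas code): a realm that accepts the UsernamePasswordToken produced by authcBasic and checks the credentials against the CAS REST API mentioned in Jérôme's earlier reply, which answers a POST to /v1/tickets with 201 Created on success. The class name CasRestRealm, the restTicketsUrl property and the example URL are assumptions.

```java
// Hypothetical realm written for this added example; handles authentication only.
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;

public class CasRestRealm extends AuthenticatingRealm {
    private String restTicketsUrl; // assumed, e.g. https://cas.example.org/cas/v1/tickets

    public CasRestRealm() {
        setAuthenticationTokenClass(UsernamePasswordToken.class); // the token authcBasic builds
        setCredentialsMatcher(new AllowAllCredentialsMatcher());  // CAS did the password check
    }

    public void setRestTicketsUrl(String url) { this.restTicketsUrl = url; }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        UsernamePasswordToken up = (UsernamePasswordToken) token;
        if (up.getUsername() == null || up.getPassword() == null) {
            throw new IncorrectCredentialsException("username and password are required");
        }
        try {
            String form = "username=" + URLEncoder.encode(up.getUsername(), "UTF-8")
                    + "&password=" + URLEncoder.encode(new String(up.getPassword()), "UTF-8");
            HttpURLConnection c = (HttpURLConnection) new URL(restTicketsUrl).openConnection();
            c.setRequestMethod("POST");
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = c.getOutputStream()) { out.write(form.getBytes("UTF-8")); }
            // 201 Created means CAS issued a ticket-granting ticket; anything else is a rejection.
            if (c.getResponseCode() != HttpURLConnection.HTTP_CREATED) {
                throw new IncorrectCredentialsException("CAS rejected the credentials");
            }
        } catch (IOException e) {
            throw new AuthenticationException("CAS REST call failed", e);
        }
        return new SimpleAuthenticationInfo(up.getUsername(), up.getPassword(), getName());
    }
}
```

In [main] such a realm would be declared next to casRealm, so that CasToken still goes to CasRealm and UsernamePasswordToken goes to this one. The REST URL should be HTTPS, because the password travels in the POST body.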

Re: authcBasic with shiro-cas

Posted by skybird <sn...@gmail.com>.
Can I use the same casRealm that I have already defined for the /web/** urls?
If so, how can I configure /api/** to use the already defined realm for
authcBasic?




Re: authcBasic with shiro-cas

Posted by jleleu <le...@gmail.com>.
Here I am.

The CasFilter generates a CasToken authenticated by the CasRealm, but I
don't see any realm for your basic authentication...


2014-03-06 17:22 GMT+01:00 skybird [via Shiro User] <
ml-node+s582556n7579741h39@n2.nabble.com>:

>  Dominic Farr wrote
> one line does look strange in your shiro.ini
>
> /login.jsp = anon
>
> this line has been removed, I think it was being ignored anyway. but
> thanks.
>
> Dominic Farr wrote
> Normally you point your login url to the filter name that handles it...
>
> and I think this line in the main section does exactly what you are
> referring to :
>
> roles.loginUrl = http://cas.domain.com/login?service=http://app.domain.com:8080/myapp/shiro-cas
>
> Still the same issue, I have run your sample app and authc and authcBasic
> filters work fine on different URLs in the same app, but in my setup doesn't
> seem like casFilter and authcBasic can co-exist/share session data in the
> same app.
>
> I know Jerome is the shiro-cas expert...let's see if he has anything to
> say.
>
>
>





Re: authcBasic with shiro-cas

Posted by skybird <sn...@gmail.com>.
Dominic Farr wrote
> one line does look strange in your shiro.ini
> 
> /login.jsp = anon

this line has been removed, I think it was being ignored anyway. but thanks.


Dominic Farr wrote
> Normally you point your login url to the filter name that handles it...

and I think this line in the main section does exactly what you are
referring to :

roles.loginUrl = http://cas.domain.com/login?service=http://app.domain.com:8080/myapp/shiro-cas

Still the same issue, I have run your sample app and authc and authcBasic
filters work fine on different URLs in the same app, but in my setup doesn't
seem like casFilter and authcBasic can co-exist/share session data in the
same app.

I know Jerome is the shiro-cas expert...let's see if he has anything to say.






Re: authcBasic with shiro-cas

Posted by Dominic Farr <do...@gmail.com>.
Not sure I can help; I've not integrated Shiro and CAS.

one line does look strange in your shiro.ini

/login.jsp = anon

Normally you point your login url to the filter name that handles it, in a
sort of loopback. The filter understands this loopback and processes the
request differently.

For example (https://github.com/dominicfarr/skybird-shiro/blob/master/src/main/webapp/WEB-INF/shiro.ini#L18):

[main]
authc.loginUrl = /web/login.html

[urls]
/web/login.html = authc



On 6 March 2014 02:15, skybird <sn...@gmail.com> wrote:

> Thanks for your reply... I tried your suggestion but I am still having some
> issues with basic auth. The basic auth prompt does show up whenever I try
> to access anything under "/api/**", but it never succeeds, it keeps on
> prompting me. The only other difference in my set up is that I am using
> CASFilter/Realm setup which works absolutely fine when I access anything
> under "/web/**".
>
> Here's my full shiro.ini
>
> [main]
> casFilter = org.apache.shiro.cas.CasFilter
> casFilter.failureUrl = /error.jsp
> casFilter.successUrl = /home.jsp
>
> casRealm = org.apache.shiro.cas.CasRealm
> casRealm.defaultRoles = ROLE_USER
> casRealm.casServerUrlPrefix = http://cas.domain.com/
> casRealm.casService = http://app.domain.com:8080/myapp/shiro-cas
> casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
> securityManager.subjectFactory = $casSubjectFactory
>
> sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
> sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO
>
> securityManager.sessionManager = $sessionManager
> securityManager.sessionManager.sessionDAO = $sessionDAO
>
> roles.loginUrl = http://cas.domain.com/login?service=http://app.domain.com:8080/myapp/shiro-cas
>
> [urls]
> /shiro-cas = casFilter
> /login.jsp = anon
> /web/** = roles[ROLE_USER]
> /api/** = authcBasic
> /logout = logout
>
>
>
>

Re: authcBasic with shiro-cas

Posted by skybird <sn...@gmail.com>.
Thanks for your reply... I tried your suggestion but I am still having some
issues with basic auth. The basic auth prompt does show up whenever I try
to access anything under "/api/**", but it never succeeds, it keeps on
prompting me. The only other difference in my set up is that I am using
CASFilter/Realm setup which works absolutely fine when I access anything
under "/web/**".

Here's my full shiro.ini

[main]
casFilter = org.apache.shiro.cas.CasFilter
casFilter.failureUrl = /error.jsp
casFilter.successUrl = /home.jsp

casRealm = org.apache.shiro.cas.CasRealm
casRealm.defaultRoles = ROLE_USER
casRealm.casServerUrlPrefix = http://cas.domain.com/
casRealm.casService = http://app.domain.com:8080/myapp/shiro-cas
casSubjectFactory = org.apache.shiro.cas.CasSubjectFactory
securityManager.subjectFactory = $casSubjectFactory

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
sessionDAO = org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO

securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionDAO = $sessionDAO

roles.loginUrl = http://cas.domain.com/login?service=http://app.domain.com:8080/myapp/shiro-cas

[urls]
/shiro-cas = casFilter
/login.jsp = anon
/web/** = roles[ROLE_USER]
/api/** = authcBasic
/logout = logout





Re: authcBasic with shiro-cas

Posted by Dominic Farr <do...@gmail.com>.
Ignore me. Your configuration should work.

Here is an example project that uses two types of authentication of which
one is basic auth.

https://github.com/dominicfarr/skybird-shiro

authenticating with either allows access to the other and vice versa


On 3 March 2014 08:07, Dominic Farr <do...@gmail.com> wrote:

> I think your problem is that basic authentication isn't stored in a
> session or session identifier, and therefore shiro isn't aware of it in the
> same way CAS or authC filter is.
>
> Why not proxy your web calls to your api behind a url that needs casFilter?
>
> -d
>
>
>
> On 3 March 2014 07:37, skybird <sn...@gmail.com> wrote:
>
>> I have a web application that has some web services and some account
>> pages.
>> When protected account pages are accessed it authenticates against CAS.
>> That
>> works fine.
>>
>> If a webservice is invoked by the same application the rest service should
>> not need authentication any more. However rest services are also exposed
>> and
>> I want authcBasic enabled on them if the client is not my own web app. So
>> my
>> question is how do I configure the /rest/** url so that it does not ask
>> for
>> authentication if it is being called from an authenticated CAS user but
>> prompt for basic auth if the client is not my web app?
>>
>> Here's my shiro urls section config:
>>
>> [urls]
>> /shiro-cas = casFilter
>> /account/** = roles[ROLE_USER]
>> /rest/** = authcBasic
>>
>>
>>
>>
>>
>
>

Re: authcBasic with shiro-cas

Posted by Dominic Farr <do...@gmail.com>.
I think your problem is that basic authentication isn't stored in a session
or session identifier, and therefore shiro isn't aware of it in the same
way CAS or authC filter is.

Why not proxy your web calls to your api behind a url that needs casFilter?

-d



On 3 March 2014 07:37, skybird <sn...@gmail.com> wrote:

> I have a web application that has some web services and some account pages.
> When protected account pages are accessed it authenticates against CAS.
> That
> works fine.
>
> If a webservice is invoked by the same application the rest service should
> not need authentication any more. However rest services are also exposed
> and
> I want authcBasic enabled on them if the client is not my own web app. So
> my
> question is how do I configure the /rest/** url so that it does not ask for
> authentication if it is being called from an authenticated CAS user but
> prompt for basic auth if the client is not my web app?
>
> Here's my shiro urls section config:
>
> [urls]
> /shiro-cas = casFilter
> /account/** = roles[ROLE_USER]
> /rest/** = authcBasic
>
>
>
>
>